P
US11765170B2ActiveUtilityPatentIndex 59

Data processing method, system, and apparatus, storage medium, and device

Assignee: TENCENT TECH SHENZHEN CO LTDPriority: May 3, 2017Filed: Mar 9, 2021Granted: Sep 19, 2023
Est. expiryMay 3, 2037(~10.8 yrs left)· nominal 20-yr term from priority
Inventors:ZHOU HONGFEI
H04L 67/60G06F 21/6227H04L 63/0884H04L 63/0428H04L 67/10H04L 9/0897H04L 63/0823G06F 21/78H04L 63/0281H04L 63/0485H04L 63/062H04L 9/0869H04L 63/20
59
PatentIndex Score
1
Cited by
21
References
18
Claims

Abstract

This application discloses a data processing method, system, and apparatus, a storage medium, and a device, and belongs to the field of database technologies. The method includes receiving, a trigger request; triggering, according to the trigger request, the first cloud encryptor to store a root key seed, an operating policy, a data key seed, and a data key identifier, and triggering the database proxy to store an encryption data dictionary, the operating policy indicating an operation policy of the first cloud encryptor. The method further includes receiving a data processing request from the client; sending first data that the data processing request requests to process and the data key identifier in the encryption data dictionary to the first cloud encryptor. The method further includes implementing the operating policy, processing the first data, and responding to the data processing request by using the second data.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A data processing method, applied to a cloud manager of a data processing system, the data processing system further including a cloud encryptor and a database proxy, and the data processing method comprising:
 receiving a trigger request from a client; and 
 in response to receipt of the trigger request, triggering the cloud encryptor to store a root key seed, an operating policy, a data key seed, and a data key identifier, and triggering the database proxy to store an encryption data dictionary, 
 wherein after receipt from the client of a data processing request requesting to process first data, and in response to determining that the first data matches the encryption data dictionary, the database proxy sends the first data and the data key identifier in the encryption data dictionary to the cloud encryptor, 
 wherein the cloud encryptor implements the operating policy, processes the first data by using the root key seed and the data key seed corresponding to the data key identifier, and sends second data obtained after the processing to the database proxy, 
 wherein the database proxy responds to the data processing request by using the second data, 
 and wherein the cloud encryptor makes a delayed response to a detected behavior indicating illegitimate accessing the root key seed or the data key seed, according to an attack force of the detected behavior, or, destructing the root key seed, the operating policy, the data key seed, or the data key identifier that are stored in the cloud encryptor according to the attack force of the detected behavior. 
 
     
     
       2. The data processing method of  claim 1 , wherein the data processing system further includes a USB key connected to the client, the method further comprising:
 sending the data key identifier to the cloud encryptor, wherein the cloud encryptor determines the root key seed and the data key seed according to the data key identifier, encrypts the data key seed by using a root key, and sends the data key identifier and the data key seed as encrypted to the cloud manager, the root key being generated based on the root key seed; 
 receiving from the cloud encryptor the data key identifier and the data key seed as encrypted; 
 sending the data key identifier and the data key seed as encrypted to the client, wherein the client writes the data key identifier and the data key seed as encrypted into the USB key for backup storage. 
 
     
     
       3. The data processing method of  claim 1 , wherein the trigger request includes a first trigger request and a second trigger request, the method further comprising:
 triggering, according to the first trigger request, the cloud encryptor to store the root key seed and the operating policy; and 
 triggering, according to the second trigger request, the cloud encryptor to store the data key seed and the data key identifier, and triggering the database proxy to store the encryption data dictionary. 
 
     
     
       4. The data processing method of  claim 3 , wherein the cloud encryptor is a first cloud encryptor, and the data processing system further includes a second cloud encryptor, the method further comprising:
 instructing, according to the first trigger request, the client to select a first encryption algorithm, and to send the first encryption algorithm to the second cloud encryptor; 
 receiving the root key seed sent by the second cloud encryptor, the root key seed being generated by the second cloud encryptor, and the root key seed carrying a flag bit indicating the first encryption algorithm; and 
 instructing the client to select the operating policy, and to send the root key seed and the operating policy to the first cloud encryptor for storage. 
 
     
     
       5. The data processing method of  claim 3 , further comprising:
 obtaining a data dictionary of the database through the database proxy according to the second trigger request, and instructing the client to select a second encryption algorithm and an encryption granularity, the encryption granularity being one of a database, a table, and a field; 
 sending the second encryption algorithm to the cloud encryptor; 
 receiving the data key identifier sent from the cloud encryptor, the data key identifier being sent after the cloud encryptor generates the data key identifier and the data key seed, and the data key seed carrying a flag bit indicating the second encryption algorithm; and 
 writing the data key identifier and the encryption granularity into the encryption data dictionary, and sending the encryption data dictionary to the database proxy for storage. 
 
     
     
       6. The data processing method of  claim 1 , wherein the data processing request includes a data read request or a data write request. 
     
     
       7. A cloud manager of a data processing system, the data processing system further including a cloud encryptor and a database proxy, the cloud manager comprising:
 a processor; and a memory coupled to the processor and storing computer-readable program instructions executable by the processor to perform:
 receiving a trigger request from a client; and 
 in response to receipt of the trigger request, triggering the cloud encryptor to store a root key seed, an operating policy, a data key seed, and a data key identifier, and triggering the database proxy to store an encryption data dictionary, 
 wherein after receipt from the client of a data processing request requesting to process first data, and in response to determining that the first data matches the encryption data dictionary, the database proxy sends the first data and the data key identifier in the encryption data dictionary to the cloud encryptor, 
 wherein the cloud encryptor implements the operating policy, processes the first data by using the root key seed and the data key seed corresponding to the data key identifier, and sends second data obtained after the processing to the database proxy, 
 wherein the database proxy responds to the data processing request by using the second data, 
 and wherein the cloud encryptor makes a delayed response to a detected behavior indicating illegitimate accessing the root key seed or the data key seed, according to an attack force of the detected behavior, or, destructing the root key seed, the operating policy, the data key seed, or the data key identifier that are stored in the cloud encryptor according to the attack force of the detected behavior. 
 
 
     
     
       8. The cloud manager of  claim 7 , wherein the data processing system further includes a USB key connected to the client, and wherein the computer-readable program instructions are executable by the processor to further perform:
 sending the data key identifier to the cloud encryptor, wherein the cloud encryptor determines the root key seed and the data key seed according to the data key identifier, encrypts the data key seed by using a root key, and sends the data key identifier and the data key seed as encrypted to the cloud manager, the root key being generated based on the root key seed; 
 receiving from the cloud encryptor the data key identifier and the data key seed as encrypted; 
 sending the data key identifier and the data key seed as encrypted to the client, wherein the client writes the data key identifier and the data key seed as encrypted into the USB key for backup storage. 
 
     
     
       9. The cloud manager of  claim 7 , wherein the trigger request includes a first trigger request and a second trigger request, and wherein the computer-readable program instructions are executable by the processor to further perform:
 triggering, according to the first trigger request, the cloud encryptor to store the root key seed and the operating policy; and 
 triggering, according to the second trigger request, the cloud encryptor to store the data key seed and the data key identifier, and triggering the database proxy to store the encryption data dictionary. 
 
     
     
       10. The cloud manager of  claim 9 , wherein the cloud encryptor is a first cloud encryptor, and the data processing system further includes a second cloud encryptor and wherein the computer-readable program instructions are executable by the processor to further perform:
 instructing, according to the first trigger request, the client to select a first encryption algorithm, and to send the first encryption algorithm to the second cloud encryptor; 
 receiving the root key seed sent by the second cloud encryptor, the root key seed being generated by the second cloud encryptor, and the root key seed carrying a flag bit indicating the first encryption algorithm; and 
 instructing the client to select the operating policy, and to send the root key seed and the operating policy to the first cloud encryptor for storage. 
 
     
     
       11. The cloud manager of  claim 9 , wherein the computer-readable program instructions are executable by the processor to further perform:
 obtaining a data dictionary of the database through the database proxy according to the second trigger request, and instructing the client to select a second encryption algorithm and an encryption granularity, the encryption granularity being one of a database, a table, and a field; 
 sending the second encryption algorithm to the cloud encryptor; 
 receiving the data key identifier sent from the cloud encryptor, the data key identifier being sent after the cloud encryptor generates the data key identifier and the data key seed, and the data key seed carrying a flag bit indicating the second encryption algorithm; and 
 writing the data key identifier and the encryption granularity into the encryption data dictionary, and sending the encryption data dictionary to the database proxy for storage. 
 
     
     
       12. The cloud manager of  claim 7 , wherein the data processing request includes a data read request or a data write request. 
     
     
       13. A non-transitory storage medium storing a computer program, the computer program, when being executed by a cloud manager of a data processing system, causing the cloud manager to perform:
 receiving a trigger request from a client, wherein the data processing system further includes a cloud encryptor and a database proxy; and 
 in response to receipt of the trigger request, triggering the cloud encryptor to store a root key seed, an operating policy, a data key seed, and a data key identifier, and triggering the database proxy to store an encryption data dictionary, 
 wherein after receipt from the client of a data processing request requesting to process first data, and in response to determining that the first data matches the encryption data dictionary, the database proxy sends the first data and the data key identifier in the encryption data dictionary to the cloud encryptor, 
 wherein the cloud encryptor implements the operating policy, processes the first data by using the root key seed and the data key seed corresponding to the data key identifier, and sends second data obtained after the processing to the database proxy, 
 wherein the database proxy responds to the data processing request by using the second data, 
 and wherein the cloud encryptor makes a delayed response to a detected behavior indicating illegitimate accessing the root key seed or the data key seed, according to an attack force of the detected behavior, or, destructing the root key seed, the operating policy, the data key seed, or the data key identifier that are stored in the cloud encryptor according to the attack force of the detected behavior. 
 
     
     
       14. The storage medium of  claim 13 , wherein the data processing system further includes a USB key connected to the client, and the computer program further cause the processor to perform:
 sending the data key identifier to the cloud encryptor, wherein the cloud encryptor determines the root key seed and the data key seed according to the data key identifier, encrypts the data key seed by using a root key, and sends the data key identifier and the data key seed as encrypted to the cloud manager, the root key being generated based on the root key seed; 
 receiving from the cloud encryptor the data key identifier and the data key seed as encrypted; 
 sending the data key identifier and the data key seed as encrypted to the client, wherein the client writes the data key identifier and the data key seed as encrypted into the USB key for backup storage. 
 
     
     
       15. The storage medium of  claim 13 , wherein the trigger request includes a first trigger request and a second trigger request, and the computer program further cause the processor to perform:
 triggering, according to the first trigger request, the cloud encryptor to store the root key seed and the operating policy; and 
 triggering, according to the second trigger request, the cloud encryptor to store the data key seed and the data key identifier, and triggering the database proxy to store the encryption data dictionary. 
 
     
     
       16. The storage medium of  claim 15 , wherein the cloud encryptor is a first cloud encryptor, and the data processing system further includes a second cloud encryptor, the computer program further cause the processor to perform:
 instructing, according to the first trigger request, the client to select a first encryption algorithm, and to send the first encryption algorithm to the second cloud encryptor; 
 receiving the root key seed sent by the second cloud encryptor, the root key seed being generated by the second cloud encryptor, and the root key seed carrying a flag bit indicating the first encryption algorithm; and 
 instructing the client to select the operating policy, and to send the root key seed and the operating policy to the first cloud encryptor for storage. 
 
     
     
       17. The storage medium of  claim 15 , wherein the computer program further cause the processor to perform:
 obtaining a data dictionary of the database through the database proxy according to the second trigger request, and instructing the client to select a second encryption algorithm and an encryption granularity, the encryption granularity being one of a database, a table, and a field; 
 sending the second encryption algorithm to the cloud encryptor; 
 receiving the data key identifier sent from the cloud encryptor, the data key identifier being sent after the cloud encryptor generates the data key identifier and the data key seed, and the data key seed carrying a flag bit indicating the second encryption algorithm; and 
 writing the data key identifier and the encryption granularity into the encryption data dictionary, and sending the encryption data dictionary to the database proxy for storage. 
 
     
     
       18. The storage medium of  claim 13 , wherein the data processing request includes a data read request or a data write request.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.